Arch RFC automated digital signing of os artifacts

This [1] goes way above my head, but perhaps some of the more knowledgeable people find it interesting:

Arch Request for comment:
Introduce a centralized, hardware backed solution for the digital signing of OS artifacts. Gradually replace the need for manual signing of artifacts throughout the distribution.

The stepwise plan in this document will eventually lead to changes for the following existing roles within Arch Linux staff:

  • Package maintainers will no longer sign packages using their individual OpenPGP private key.
  • The amount of OpenPGP certificates for main signing key holders to care for will be drastically reduced.
  • The DevOps team will have to monitor and administrate additional physical machines in a colocation.

New groups of people within Arch Linux staff will

  • collectively take care of the administrative credentials for the described system as holders of shares of a shared secret,
  • provide software upgrades for components of the system as developers of Signstar,
  • and create releases for a central, image-based OS as developers of Signstar OS.

For details refer to the section changes for users and staff.

[1] https://gitlab.archlinux.org/dvzrv/rfcs/-/blob/feat/automated-signing/rfcs/0059-automated-digital-signing-of-os-artifacts.md?ref_type=heads

Wow. That proposal is a huge change of the inner workings.

“holders of shares of a shared secret”

I can smell troubles. 🙂

Hope it stays a RFC, never implemented.

A shared secret that requires a sufficient number of holders is certainly better than the current system where one compromised holder can wreak havoc.
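Added example, not from the thread or from the RFC: the quoted excerpt says only that a group will hold "shares of a shared secret" and does not name a scheme, so Shamir's k-of-n threshold sharing is assumed here as the usual way to make a quorum of holders necessary and sufficient. The 3-of-5 split and the secret value are constructed for the demonstration.

```python
"""Minimal Shamir k-of-n secret sharing over a prime field.

Added example; not code from the Arch RFC, Signstar, or anyone in the thread.
Constructed parameters: a 3-of-5 split of a made-up administrative secret.
"""
import secrets

# Arithmetic is modulo a Mersenne prime; secrets must be below it (up to 65 bytes).
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, share_count):
    """Split an integer secret into share_count shares, any threshold of which recover it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, f(i)). Fewer than threshold points leave f(0) undetermined.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= share_count < PRIME:
        raise ValueError("need 1 <= threshold <= share_count")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from (x, y) share tuples.

    With at least threshold distinct shares this returns the secret. With fewer it
    returns a wrong value, and does so silently, which is why a deployment should
    keep something (a hash, a known-plaintext check) to verify the result against.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i == j:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem, since PRIME is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def bytes_to_int(data):
    return int.from_bytes(data, "big")


def int_to_bytes(value, length):
    return value.to_bytes(length, "big")


def demo(threshold=3, share_count=5):
    """Constructed 3-of-5 walkthrough; reports what each quorum size recovers."""
    secret_bytes = b"example-admin-secret"  # constructed, not a real credential
    secret = bytes_to_int(secret_bytes)
    shares = split_secret(secret, threshold, share_count)
    quorum = recover_secret(shares[1:1 + threshold])   # any 3 holders suffice
    everyone = recover_secret(shares)                   # more than 3 also works
    short = recover_secret(shares[:threshold - 1])      # 2 holders do not
    return {
        "secret": secret,
        "quorum_ok": quorum == secret,
        "all_ok": everyone == secret,
        "below_threshold_ok": short == secret,
        "recovered": int_to_bytes(quorum, len(secret_bytes)),
    }


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check before relying on this: the share indices x must be distinct and nonzero (x = 0 would hand out the secret itself), and the scheme by itself gives no integrity, so a quorum that includes a corrupted or mistyped share reconstructs garbage without any error.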